Office of Inspector General

July 25, 2014

MEMORANDUM

TO:       SEC, Director of Security, Mark Webb

FROM:     IG/A/PA, Director, Jon Chasson /s/

SUBJECT:  Evaluation of USAID’s Implementation of Executive Order 13526, Classified
          National Security Information (Report No. 9-000-14-002-S)

This memorandum transmits our final report on the subject evaluation. In finalizing the report,
we considered your comments on the draft evaluation and have included them in Appendix II.

The report contains 11 recommendations to help strengthen the implementation of USAID’s
classified national security program. We acknowledge your management decisions on all the
recommendations and final action on 4 and 6. Please provide the Audit Performance and
Compliance Division with the necessary documentation to achieve final action on the other
recommendations.

Thank you and your staff for the support and courtesies extended to us during this evaluation.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
http://oig.usaid.gov

SUMMARY
The Reducing Over-Classification Act, Public Law 111-258, was enacted in October 2010 to
prevent overclassification of information and to promote sharing information within the Federal
Government, with state and local government, and with the private sector.
It followed President
Barack Obama’s December 2009 Executive Order 13526, “Classified National Security
Information,” which “prescribes a uniform system for classifying, safeguarding and declassifying
national security information.” According to the order, “Protecting information critical to our
Nation’s security and demonstrating our commitment to open Government through accurate and
accountable application of standards and routine, secure, and effective declassification are
equally important priorities.”

Section 6 of the Act, “Promotion of Accurate Classification of Information,” includes the following
requirement for Office of Inspector General (OIG) evaluations:

    [T]he inspector general of each department or agency of the United States with
    an officer or employee who is authorized to make original classifications, in
    consultation with the Information Security Oversight Office, shall carry out no less
    than two evaluations of that department or agency or a component of the
    department or agency

    (A) to assess whether applicable classification policies, procedures, rules, and
        regulations have been adopted, followed, and effectively administered within
        such department, agency, or component; and

    (B) to identify policies, procedures, rules, regulations, or management practices
        that may be contributing to persistent misclassification of material within such
        department, agency or component.

This requirement applies to USAID because the Agency has four positions with original
classification authority (OCA) up to the secret level. There are two types of classifications—
original and derivative.
According to USAID’s policy glossary, original classification involves
making an “initial determination that information requires, in the interest of national security,
protection against unauthorized disclosure,” and derivative classification involves “reproducing,
extracting, or summarizing classified information, or applying classification markings derived
from source material or as directed by a classification guide.” All of the approximately
2,600 USAID employees with a security clearance have derivative classification authority.

This is the first of two OIG evaluations responding to the act. We used the guide for conducting
evaluations developed by the Department of Defense OIG.[1] In accordance with the act, we
conducted the evaluation in consultation with the Information Security Oversight Office (ISOO),
part of the National Archives and Records Administration that is responsible to the President for
policy and oversight of the U.S. Government’s security classification system.

USAID’s primary policy for implementing the order is Automated Directives System (ADS) 568,
“National Security Information Program,” maintained by the Agency’s Office of Security. The
director of that office reports annually to the director of ISOO and is responsible for confirming
that USAID implements the order.

[1] A Standard User’s Guide for Inspectors General Conducting Evaluations under Public Law 111-258, the
“Reducing Over-Classification Act,” January 22, 2013.

ADS 568 delegates responsibility for maintaining a system of accounting for top-secret
information to USAID’s Executive Secretary.
For USAID missions, the Embassy’s regional
security officer is responsible for the security programs. USAID missions may not store
classified information and must process classified information in the Embassy.

OIG’s Performance Audits Division conducted this evaluation. The objectives were to:

1. Assess whether applicable classification policies, procedures, rules, and regulations have
   been adopted, followed, and effectively administered within USAID; and

2. Identify policies, procedures, rules, regulations or management practices that may be
   contributing to persistent misclassification of material within USAID.

USAID’s classification policy (ADS 568) generally meets the requirements set forth in the order,
but it needs updating to reflect current practice. In addition, USAID has not published a
classification guide.[2] In response to the second objective, we did not find evidence of persistent
misclassification of material within USAID. However, we did find other problems, listed below.

•   USAID reported incorrect classification statistics (page 4). Agencies with OCA are required
    to report classification statistics to ISOO each year. USAID sampled staff on how many
    classification decisions they performed over a 2-week period and projected from the sample
    to estimate how many of each type of classification (confidential, secret, or top secret) were
    made for the year; however, we found errors in USAID’s calculations.

•   USAID’s self-inspection program did not include representative samples of classified
    documents (page 5). In addition, the security office had not reviewed classified documents
    from the electronic network.

•   Classified documents were marked incorrectly (page 6).
    Although none of the 21 documents
    in our sample was overclassified, only 5 were marked correctly.

•   USAID did not issue a classification guide or update parts of the classification policy
    (page 7). The order requires agencies to develop their own classification guide, but USAID
    currently uses the State Department’s.

•   Agency staff did not receive guidance on the ClassNet marking tool (page 8). For e-mailing
    and processing confidential and secret information, USAID uses ClassNet, an electronic
    network with service provided by the State Department. ClassNet users said they would like
    more guidance on how to use the marking tool.

•   OCAs did not receive customized training (page 9). USAID only offers a combined training
    for derivative and original classifiers.

[2] ADS 568 states that a classification guide is “a documentary form of classification guidance issued by
an original classification authority that identifies the elements of information regarding a specific subject
that must be classified and establishes the level and duration of classification for each such element.”

To address these problems and strengthen USAID policies and procedures for classified
information, we recommend the Office of Security:

1. Develop, implement, and document a sampling method for reporting classification decisions
   that can be projected to the total population of classifiers at USAID (page 5).

2. Train employees who are required to report information on classification decisions to make
   sure they understand their reporting duties, and document such training (page 5).

3. Update ADS 568 to state that inspections of classified documents shall be conducted using
   a representative sample (page 6).

4.
   Conduct inspections of classified information using a formal process with a representative
   sample, and document the results of the testing (page 6).

5. Implement a procedure to work with the Chief Information Office during inspections to
   sample users of the electronic system (ClassNet) and test for overclassification and
   classification markings (page 6).

6. Identify documents marked incorrectly during inspections and explain proper marking to
   employees performing the classifications, and document the results (page 7).

7. Identify employees who perform a large quantity of derivative classifications, and enforce
   proper management of classified information by including it as an element in their
   performance evaluations (page 7).

8. Publish USAID’s classification guide during fiscal year 2014 (page 8).

9. Update ADS 568 to reflect the Agency’s current requirements for employees recording
   classification decisions (page 8).

10. Work with the Chief Information Office to train ClassNet users on how to use the marking
    tool, and document such training (page 9).

11. Provide customized OCA training annually to original classifiers, and document that they
    have completed the training (page 9).

Detailed findings follow. The evaluation’s scope and methodology appear in Appendix I.
Management comments appear in their entirety in Appendix II, and our evaluation of them is on
page 10 of the final report.

EVALUATION RESULTS

USAID Reported Incorrect Classification Statistics
Executive Order 13526 and its implementing directive, 32 Code of Federal Regulations Part
2001, require agencies to report annual statistics on their security classification programs using
Standard Form 311, “Agency Security Classification Management Program Data,” to ISOO.
The
director of ISOO tells agencies what statistics should be included in their reporting.

ISOO guidelines state, “Actual counts of classification decisions for a 52-week period are
always preferred, but for many large agencies this may not be practical,” thus allowing agencies
to use a sampling technique if they determine it is impractical to provide actual counts of
top-secret, secret, and confidential derivative classification decisions. USAID decided to use ISOO’s
sampling technique, and we confirmed with ISOO that agencies have discretion over their
sampling methodology. This includes defining the population, sample number, and duration.

The Agency did not report any original classifications from 2010 through 2013. Table 1 shows
the number of derivative classifications USAID reported.

Table 1. Derivative Classifications Reported to ISOO (Unaudited)

Year    Top Secret    Secret    Confidential    Total
2010             0         0               0        0
2011            10       195              14      219
2012             0       312             104      416
2013           208       494             208      910

We found errors in the number of derivative decisions reported to ISOO. In 2013 the Office of
Security sampled 20 percent of Agency staff on how many classification decisions they
performed over a 2-week period. The office intended to project that information to the entire
Agency for the course of the year by multiplying by 5 and 26, respectively.[3] However,
employees in that office did not use the multiplier (5) to project to the total population, leading to
an incorrectly calculated estimate of classified decisions for 2013.
They also did not document
how the sample and population were determined.

We spoke with administrative management specialists (AMSs) and administrative assistants
tasked with providing classification statistics to the Office of Security for USAID’s 2013 reporting
to ISOO.[4] Several said they did not understand the tasks they were required to perform. For
example, one AMS confused derivative classification authority with OCA. She said her office
does not produce classified information because it does not have the authority to do so.
However, all USAID employees with a security clearance have derivative classification authority,
and we reviewed derivatively classified documents from that office, which means it performs
derivative classification decisions.

[3] According to ISOO, a derivative classification count of a 20 percent sample population is multiplied by
5 to project to the total population (100 percent). Because the sample captures data for a 2-week period,
the count is multiplied by 26 to get the full year classification count.

[4] To collect information on classification decisions, the Office of Security sends a PowerPoint document to
AMSs with reporting instructions. In it, AMSs are asked to collect information over a 2-week period.

One administrative assistant reported four top-secret derivatively classified decisions to the
Office of Security. When asked by the evaluation team who classified these documents, she
said the documents were provided to her office by USAID’s Office of the Executive Secretariat
and were classified by other agencies. She said she misunderstood what was being asked and
had reported to the Office of Security the number of documents that her office received, not the
number her office derivatively classified.
This error led to over-reporting the Agency’s top-secret
derivative classifications in 2013.

Security officials agreed that using ISOO guidance not tailored to a USAID-specific sampling
method and population led to incorrect reporting of classification statistics. While the office
provided a PowerPoint document to teach AMSs how to report classification decisions, some
of them did not understand what was required.

Without a well-documented sampling method for reporting classification decisions and correct
classification decision data, the Office of Security is at risk of continuing to provide inaccurate
statistics to ISOO on the Agency’s security classification program.

    Recommendation 1. We recommend that the Office of Security develop, implement,
    and document a sampling method for reporting classification decisions that can be
    projected to the total population of classifiers at USAID.

    Recommendation 2. We recommend that the Office of Security train employees who
    are required to report information on classification decisions to make sure they
    understand their reporting duties, and document such training.

Self-Inspection Program Did Not Include Representative Samples of Classified Documents
The order states that agencies shall establish and maintain a self-inspection program and report
results annually to the ISOO director. One of the program’s activities is to conduct “regular
reviews of representative samples of their original and derivative classification actions.”

The Office of Security does not use a representative sample when reviewing classified material,
and it does not keep a log of any marking errors. Instead, three security specialists perform
random inspections of bureaus/independent offices (B/IOs) at USAID.
They look at a random
number of classified documents in each office safe, but they do not document how many safes
or documents they review.

Additionally, most of USAID’s classification actions occur in ClassNet, but Office of Security
employees do not review information in the system. As a result, they do not review most of the
Agency’s original and derivative classification actions.

Security officials agreed that the process of reviewing classified documents should be more
formal, and they developed a template to be used in future inspections. Additionally, because
USAID does not create a significant amount of classified information, inspection findings
focused on activity and security container checklists not being completed or retained, missing
signs to indicate copiers and shredders are not authorized for classified documents, and
improperly stored safe combinations instead of whether documents were classified correctly.
Checking whether classified materials are marked appropriately could be useful for identifying
trends and weaknesses in training.

The officials said they asked the Office of the Chief Information Officer (CIO) for access to
review e-mails in the State Department’s ClassNet system but were not able to get it. They
reported this in the 2011, 2012, and 2013 reports to ISOO. State Department officials confirmed
there is no way to separate USAID e-mails from State Department e-mails in ClassNet.

Because there is no formal documentation or process for the Office of Security’s
self-inspections of classified documents, we could not verify compliance with this component of the
order.
Furthermore, because the majority of classified documents at USAID are classified
derivatively using ClassNet and the Office of Security is not reviewing that system, it is not
aware whether information is being overclassified or mismarked.

    Recommendation 3. We recommend that the Office of Security update Automated
    Directives System 568 to state that inspections of classified documents shall be
    conducted using a representative sample.

    Recommendation 4. We recommend that the Office of Security conduct inspections of
    classified information using a formal process with a representative sample, and
    document the results of the testing.

    Recommendation 5. We recommend that the Office of Security implement a procedure
    to work with the Chief Information Office during inspections to sample users of the
    electronic system (ClassNet) and test for overclassification and classification markings.

Classified Documents Were Marked Incorrectly
The order states that people who derivatively classify information shall:

•   Be identified by name and position.

•   Include all classification markings in any newly created document.

•   Identify the source document or classification guide.

•   Reprint the “declassify on” line from the source document.

•   Clearly mark materials with the highest classification level of information contained in it.

•   Mark each portion of a derivatively classified document immediately before the portion it
    applies to.

Additionally, the order states that personnel who regularly apply derivative classification
markings be evaluated in their performance rating on their designation and management of
classified information.

As part of the evaluation, 21 documents from 5 B/IOs within
USAID were reviewed. None of the
21 documents were overclassified. However, several were marked with only the classification
level, making it difficult to evaluate the appropriateness of the classification, and only
five reviewed had correct markings. We found the following marking errors.

•   12 documents did not include the source the document was derived from.
•   12 documents did not include the duration of the classification.
•   10 documents did not have markings before each portion of the document.
•   4 documents did not have proper overall markings.

During the course of the evaluation, we noticed several other drafts of classified documents—
not selected in our sample or included in the counts above—that were missing appropriate
markings.

Some employees who performed the derivative classifications in the sample were not sure of
what constituted a derivative classification. Others said they do not regularly perform derivative
classifications as part of their job. However, everyone interviewed had attended the
classification or annual refresher trainings and was informed on how to mark classified materials
correctly.

Because there are no consequences for incorrect classification markings, employees have little
incentive to mark documents accurately. Office of Security officials said they have been working
with the Office of Human Resources to put language into staff performance evaluations
regarding classification and marking procedures.

When documents—even in draft form—are not marked correctly, the classified status of
information and level of protection required is unknown. There is a possibility that documents
could be distributed improperly to people without a need to know, or that people will overclassify
improperly marked documents as a precautionary measure.
Improper safeguarding is a threat to
national security, and overclassification prohibits the sharing of information.

    Recommendation 6. We recommend that the Office of Security identify documents
    marked incorrectly during inspections and explain proper marking to employees
    performing the classifications, and document the results.

    Recommendation 7. We recommend that the Office of Security identify employees who
    perform a large quantity of derivative classifications, and enforce proper management of
    classified information by including it as an element in their performance evaluations.

USAID Did Not Issue Classification Guide or Update Parts of Classification Policy
The order requires agencies with OCA to develop classification guides. USAID, however, did
not, and it currently uses the State Department’s guide. Office of Security officials said they
have been drafting a guide for more than 3 years and intend to release it in 2014. They said
they had not published the guide yet because of changes in management and competing
priorities.

USAID’s primary guidance on implementing the order is ADS 568. This guidance generally
meets the requirements set forth in the order, but it needs to be updated to adjust sections no
longer applicable.
For example, the ADS states:

•   AMSs for the Administrator, Deputy Administrator, and Inspector General must maintain a
    log of all classified decisions made annually.

•   B/IOs must maintain a centralized log of all classification activity.

•   All employees who derivatively or originally classify documents must maintain an
    unclassified record of those activities.

Security officials said USAID employees are no longer required to maintain the logs and that the
requirement was applicable when most classified information was processed on paper rather
than electronically.

Therefore, until ADS 568 is updated, USAID staff will continue to use guidance no longer
deemed applicable by the Office of Security. The Agency will not be compliant with the order’s
requirements and will continue to make classification decisions based on the State
Department’s guidance until a USAID-specific guide is published.

    Recommendation 8. We recommend that the Office of Security publish USAID’s
    classification guide during fiscal year 2014.

    Recommendation 9. We recommend that the Office of Security update Automated
    Directives System 568 to reflect the Agency’s current requirements for employees
    recording classification decisions.

Agency Staff Did Not Receive Guidance on ClassNet Marking Tool
The order mandates USAID to establish and maintain a security education and training
program. ADS 568.3.4 states the training program will ensure that employees are aware of their
responsibilities concerning classified information such as the procedures for classification, marking,
control, storage, transmission, and destruction.

Agency employees use ClassNet to e-mail and process confidential and secret information. The
service provider for ClassNet is the State Department.
According to the Office of the CIO,
USAID/Washington has approximately 120 ClassNet terminals and about 450 user accounts.

Employees who need to access ClassNet must undergo training, which consists of CIO’s
cyber-awareness training and Office of Security’s training. We spoke with 14 USAID employees who
regularly use ClassNet. Some said they used the marking tool recently for classifying e-mails
and added that they would like more guidance on using it. They also gave suggestions such as
providing a tutorial, including the tool in security training, e-mailing a guide to ClassNet users, or
offering a drop-down menu with options.

CIO staff said the ClassNet marking tool was deployed only on updated terminals;
consequently, not all employees have seen it. Security officials said they would work with CIO to
train employees how to use the tool.

Because the majority of classifications are performed electronically, it is important that system
users are trained adequately to mark electronic documents, including e-mails and attachments.
If users do not use the marking tool correctly, information may not be controlled or transmitted
appropriately.

    Recommendation 10. We recommend that Office of Security work with the Chief
    Information Office to train ClassNet users on how to use the marking tool, and document
    such training.

Original Classification Authorities Did Not Receive Customized Training
The order states, “All original classification authorities must receive training in proper
classification . . . at least once a calendar year.” Furthermore, ADS 568.3.4.4 states that the
Office of Security “will provide training for all OCAs”—implying this training is unique.
Both the
order and ADS 568 require derivative classifiers to receive training at least once every 2 years.

The training program that the Office of Security provides meets the requirements outlined in the
order. To verify compliance, the office uses a computer system to track employees’ training.

We verified the records for 17 employees with derivative classification authority, and all had
completed training within 2 years. However, we found that not all OCAs completed their training
within 1 year.

While conducting the sample, two documents were found from fiscal years 2011 and 2012 that
were prepared by an OCA, with “reason” for the classification in the marking block. This
indicates the documents were originally classified; if they were derivatively classified, they would
have had “source” in the marking block. However, these documents were not reported to the
Office of Security and therefore not reported to ISOO during the annual reporting process, as
required.[5]

The Office of Security’s current training program is for both original and derivative classifiers.
Security officials recognized the need for specific OCA training, and the office developed a
module to address those requirements during our evaluation.

If OCAs do not receive specific training on their duties and responsibilities, there is a greater
potential for overclassification. Additionally, they may continue to make original classifications
without informing the Office of Security. This affects the accuracy of the classification decisions
reported to ISOO. It also makes it difficult for the office to review original classification decisions
and verify that OCAs are classifying and safeguarding information appropriately.

    Recommendation 11.
    We recommend that the Office of Security provide customized
    original classification authority training annually to original classifiers, and document they
    have completed the training.

[5] The annual reporting process is explained on page 4 of this report.

EVALUATION OF MANAGEMENT COMMENTS
In their comments on the draft evaluation report, agency officials agreed with all
11 recommendations, and we acknowledge management decisions on all of them.[6] Based on
our review of management’s comments and supporting documentation, we agree that final
action has been taken on Recommendations 4 and 6. A detailed evaluation of management
comments follows.

Recommendation 1. The Office of Security updated and documented the sampling
methodology for completing ISOO reporting requirements. Final action requires that the office
implement the updated methodology during the next ISOO reporting period, which staff said is
in October 2014.

Recommendation 2. Officials in the Office of Security said they plan to train AMSs responsible
for completing Standard Form 311, used to report classification statistics annually to ISOO.
Final action requires that AMSs receive training and that the training is documented. The Office
of Security expects final action to be completed by September 2014.

Recommendation 3. The Office of Security provided draft revisions of ADS 568 stating that
items covered during the security inspection program would include representative sampling of
original and derivative classification actions. Final action requires issuing the updated ADS,
which the Office of Security expects will be completed by October 30, 2014.

Recommendation 4. The Office of Security updated the process for inspecting classified
documents and documented results for B/IOs tested in May and June 2014.
Based on the
comments and supporting documentation provided, we acknowledge that the office made a
management decision and that final action has been taken.

Recommendation 5. The Office of Security updated its sampling procedures to meet ISOO
reporting requirements, and it developed a classification action log for Agency staff to report
classification actions they performed in ClassNet. Final action requires that the office implement
a procedure for testing for overclassification and classification markings in ClassNet.

Recommendation 6. The Office of Security updated its procedures for inspecting safes,
providing corrective training to staff who improperly marked documents, and documenting the
training. Based on the comments and supporting documentation of May and June 2014
inspections, we acknowledge that the office made a management decision and that final action
has been taken.

Recommendation 7. The Office of Security coordinated with the Office of Human Resources
and proposed language to include in annual performance evaluations for USAID employees
who routinely create or handle classified information. Final action requires that the appraisals
include this new performance element, and the office expects final action to be completed by
January 1, 2015.

[6] The draft evaluation report dated May 27, 2014, contained 14 recommendations. Due to revisions of
12 FAM 530, three of these recommendations were no longer relevant and were removed from the final
report.

Recommendation 8. The Office of Security drafted a security classification guide and provided
it to ISOO for review and comment. Final action requires that the guide is issued, which the
office expects would be done by September 30, 2014.

Recommendation 9.
The Office of Security drafted revisions to ADS 568 to reflect USAID’s
requirements for employees recording classification decisions. Final action requires that the
updated ADS 568 be issued, which the office expects would be done by September 30, 2014.

Recommendation 10. Office of Security officials said they are coordinating with the CIO and
State Department on deploying ClassNet training. Final action requires that ClassNet users
receive training and that training is documented, which the office expects would be completed
by December 30, 2014.

Recommendation 11. The Office of Security developed an OCA training package. Final action
requires the OCAs complete the training and that the training is documented, which the office
expects would be completed by September 30, 2014.

Appendix I

SCOPE AND METHODOLOGY
Scope
OIG’s Performance Audits Division carried out this evaluation in response to a mandate in the
Reducing Over-Classification Act. We believe our work on this evaluation fulfills that mandate.
The evaluation was conducted in accordance with the Council of the Inspectors General on
Integrity and Efficiency’s 2012 Quality Standards for Inspection and Evaluation.

Fieldwork was performed in Washington, D.C., from February 5 to April 3, 2014. OIG reviewed
classification management policies and practices within USAID, including those developed
internally, and assessed whether existing procedures are appropriate to make sure that
classified national security information is classified and marked properly.

The evaluation covered the period from June 2010 to April 2014.
This report is directed to Office
of Security staff responsible for the Agency’s implementation of Executive Order 13526.

Methodology
To plan for this evaluation, we reviewed the Reducing Over-Classification Act, Executive
Order 13526, ISOO guidance for implementing the order, applicable regulations, and relevant
OIG work. We also reviewed USAID’s National Security Information Program policy and
external reporting, internal inspections, and self-assessments pertaining to classification
requirements. To compare USAID to other agencies, we conducted this evaluation using the
Department of Defense’s A Standard User’s Guide for Inspectors General Conducting
Evaluations Under Public Law 111-258, the “Reducing Over-Classification Act.”

During fieldwork, we interviewed staff from the Office of Security, Office of the Executive
Secretariat, and Office of the CIO responsible for implementing the order, maintaining
accountability of classified materials, and verifying that Agency personnel with classification
authority are compliant with training requirements. We interviewed 14 employees who
performed derivative classifications or have authority to do so. We interviewed AMSs who have
classification reporting duties. We reviewed the Office of Security’s reports to ISOO and the
supporting data used to report statistics on the Agency’s classification program. To test training,
we compared requirements mandated by the order to USAID guidance and training materials.
We also tested 20 employees’ training records to determine whether they were current on
training requirements.

For this evaluation, we did not review classified e-mails in ClassNet or JWICS or SCI
documents maintained in the SCIFs. Instead, we reviewed paper documents. To sample
classified materials, we selected seven B/IOs with the aim of reviewing five documents in each
B/IO.
However, in some B/IOs we found fewer than five, and two B/IOs did not have any
classified paper documents for the team to review. Overall, we reviewed 21 classified
documents in five B/IOs. Additionally, classified documents in USAID’s two SCIFs were
reviewed with the support of Office of Security and Office of the Executive Secretariat staff. The
two SCIF reviews did not identify any top-secret materials classified by USAID employees.

We judgmentally selected the 21 classified documents because USAID does not have a
universe, or log of classified materials that could be used for statistical sampling. Therefore, the
evaluation results cannot be projected to the entire population. The evaluation team entered
each B/IO, moving from safe to safe with the assistance of the AMS until at least five documents
were reviewed or the team determined five paper documents were not available.

Appendix II

MANAGEMENT COMMENTS

July 7, 2014

MEMORANDUM

TO:            IG/A/PA, Martha Chang, Acting Director

FROM:          SEC/OD, Mark Webb, Director of Security /s/

SUBJECT:       Office of Inspector General Evaluation of USAID’s Implementation of Executive
               Order 13526, Classified National Security Information (Report No. 9-000-14-00X-S).

Thank you for affording USAID Office of Security (SEC) with an opportunity to respond to the
draft audit of USAID’s Implementation of Executive Order (E.O.) 13526.
SEC has reviewed the
draft audit findings and recommendations and we are working diligently to address the
weaknesses identified in the report. SEC reached management decisions on all 14
recommendations. Recommendations to 5 of the 14, specifically 1, 4, 5, 6 and 11, have been
fully implemented. We have responded to 9 of the 14 recommendations outlined in the draft
OIG report dated May 27, 2014 by taking the following actions:

1. RECOMMENDATION: Develop, implement, and document a sampling method for
reporting classification decisions that can be projected to the total population of classifiers at
USAID.

   •   RESPONSE: SEC agrees with this recommendation. Standard Operating Procedures
       have been developed and implemented which include a specific sampling methodology
       for completing the SF-311 that is consistent with the Information Security Oversight
       Office (ISOO) guidance for original and derivative classification reporting. OIG auditors
       reviewed the SOP and SEC requests that this recommendation be closed.

2. RECOMMENDATION: Train employees who are required to report information on
classification decisions to make sure they understand their reporting duties, and document such
training.

   •   RESPONSE: SEC agrees with this recommendation. Although training had been
       provided to AMS Officers on the completion of the SF-311 form, it was determined they
       did not understand the requirements of this task. A training curriculum has been
       developed for completing the SF-311. SEC will provide training to AMS Officers
       responsible for completing the SF-311 report by September 30th of each year
       (anticipating the report is due to ISOO on/about October 30).
       The completed training
       will be made part of the official training records.

3. RECOMMENDATION: Update ADS 568 to state that inspections of classified documents
shall be conducted using a representative sample.

   •   RESPONSE: SEC agrees with the recommendation. Agency policy has been drafted to
       include a representative sampling of classification actions for original and derivative
       classification and is pending for the clearance process. OIG auditors reviewed this draft
       and agreed that once published this recommendation could be closed. Target completion
       date for official publication is October 30, 2014.

4. RECOMMENDATION: Conduct inspections of classified information using a formal process
with a representative sample, and document the results of the testing.

   •   RESPONSE: SEC agrees with the recommendation. Standard Operating Procedures
       (SOPs) have been revised to include conducting a representative sampling of original and
       derivative classified documents from all safes during the inspection period. All final
       inspection reports will include the findings. The SOP has been reviewed by OIG
       auditors, and SEC requests this recommendation be closed.

5. RECOMMENDATION: Implement a procedure to work with the Chief Information Office
(CIO) during inspections to sample users of the electronic system (ClassNet) and test for over-
classification and classification markings.

   •   RESPONSE: SEC agrees with this recommendation. Self-Inspection Program SOPs
       have been revised to also include methodology for a representative sampling of
       classification actions performed on Information Technology systems. OIG auditors have
       reviewed this SOP and SEC requests this recommendation be closed.

6. RECOMMENDATION: Identify documents marked incorrectly during inspections and
explain proper marking to employees performing the classifications, and document the results.

   •   RESPONSE: SEC agrees with this recommendation. A review of classified documents
       is now conducted during the annual inspection period; findings are reported in the final
       inspection report. Training will be provided within 30 days to USAID employees that
       have incorrectly marked documents. The inspection SOP has been updated to reflect this
       change. OIG auditors have reviewed this SOP and SEC requests this recommendation be
       closed.

7. RECOMMENDATION: Identify employees who perform a large quantity of derivative
classifications, and enforce proper management of classified information by including this duty
as an element in their performance evaluations.

   •   RESPONSE: SEC concurs with this recommendation. SEC has coordinated the
       requirement and proposed language be incorporated as a critical performance element in
       annual performance appraisals with the Office of Human Resources (OHR). SEC is
       currently waiting for approval from OHR. The target completion date is January 1, 2015.

8. RECOMMENDATION: Publish USAID’s classification guide during fiscal year 2014.

   •   RESPONSE: SEC concurs with the recommendation. The draft Security Classification
       Guide was provided to ISOO on June 20, 2014 for review and comment before final
       publication. SEC anticipates incorporating ISOO comments/suggestions and publishing
       the final SCG by September 30, 2014.

9. RECOMMENDATION: Update ADS 568 to reflect the Agency’s current requirements for
employees recording classification decisions.

   •   RESPONSE: SEC concurs with this recommendation. Agency policy has been drafted
       and is pending SEC Management approval prior to being sent for Agency clearance.
       Target completion date is September 30, 2014.

10. RECOMMENDATION: Require TSCOs and alternate TSCOs are designated, and
document the designations.

   •   RESPONSE: 12 FAM 530 which established the authority and policy requirements for
       the TSCO was rescinded effective October 1, 2013, thus removing general TSCO policy
       guidance and requirements. Agency policy changes to remove all references to TSCO
       have been drafted and are pending the clearance process for formal publication. The
       target completion date is September 1, 2014.

11. RECOMMENDATION: Develop training for TSCOs, and document and track training
compliance in accordance with Agency policies.

   •   RESPONSE: 12 FAM 530 which established the authority and policy requirements for
       the TSCO was rescinded effective October 1, 2013, thus removing general TSCO policy
       guidance and requirements. SEC requests this recommendation be closed.

12. RECOMMENDATION: Work with the Office of the Executive Secretariat (ES) to
implement standard operating procedures that account for reproductions of classified documents
in accordance with the Foreign Affairs Manual.

   •   RESPONSE: SEC agrees with this recommendation. SEC will collaborate with ES to
       develop a SCIF SOP outlining internal control measures to adequately safeguard TS
       material. The target completion date is August 1, 2014.

13. RECOMMENDATION: Work with the Chief Information Office to train ClassNet users on
how to use the marking tool, and document such training.

   •   RESPONSE: SEC agrees with this recommendation. Although SEC provides initial and
       annual training on the proper markings for classified documents, additional training for
       the ClassNet (now Thin Client) automated marking tool may be required. SEC will
       coordinate with CIO on strategies to deploy training on the marking tool. Coordination
       and collaboration between SEC, CIO and the Department of State is currently underway
       to address this recommendation. The target completion date is December 30, 2014.

14. RECOMMENDATION: Provide customized OCA training annually to original classifiers,
and document they have completed the training.

   •   RESPONSE: SEC agrees with this recommendation. An OCA training package has
       been developed. The four USAID OCAs will receive OCA training and completion will
       be made part of the official training records. The target completion date is September 30,
       2014.

If you have questions about the responses, please feel free to contact Kim Bazemore at (202)
712-1374, or email: kbazemore@usaid.gov.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
Tel: 202-712-1150
Fax: 202-216-3047
http://oig.usaid.gov
'